Use of data links for aeronautical purposes without compromising safety and security

ABSTRACT

A method of ensuring secure and cost effective communication of aeronautical data to and from an aircraft is provided. The method includes uplinking air-ground aircraft data communications via an aeronautical safety data link and downlinking air-ground aircraft data communications via a consumer data link separated from the aeronautical safety data link by a one-way firewall.

This application claims the benefit of U.S. Provisional Application No.60/989,760, filed on Nov. 21, 2007, and U.S. Provisional Application No.60/990,544, filed on Nov. 27, 2007, which are incorporated herein byreference in their entirety.

BACKGROUND

Traditional aeronautical data links are relatively expensive and arebecoming more congested. At the same time, the FCC recently auctionedlicenses for broadband cellular data services explicitly for use to/fromaircraft. The primary intention of this new licensed band is to provideInternet access to aircraft passengers. There are also other broadbandservices provided to aircraft passengers via SATCOM data links. WiFi(IEEE 802.11) access points at airport gates also provide broadbandservices to aircraft. These new broadband data links are attractive toairlines for use as cockpit communications data links since they wouldlikely result in lower operating costs for data link services. However,the problem of safety and security of cockpit communications has been asignificant technological challenge. The cockpit data communications arerequired for the safe operation of the aircraft. However, the problem ofsafety and security of the cockpit communications has been a significanttechnology challenge, since these cockpit data communications arerequired for the safe operation of the aircraft.

SUMMARY

The present application relates to a method of ensuring secure and costeffective communication of aeronautical data to and from an aircraft.The method includes uplinking air-ground aircraft data communicationsvia an aeronautical safety data link and downlinking air-ground aircraftdata communications via a consumer data link separated from theaeronautical safety data link by a one-way firewall.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention can be more easily understood and furtheradvantages and uses thereof more readily apparent, when considered inview of the detailed description and the following figures in which:

FIG. 1 shows a block diagram of an aeronautical communication system inaccordance with one embodiment of the present invention;

FIG. 2 shows a block diagram of a closed domain in an aeronauticalcommunication system in accordance with one embodiment of the presentinvention;

FIG. 3 shows a block diagram of a private domain in an aeronauticalcommunication system in accordance with one embodiment of the presentinvention;

FIG. 4 shows a block diagram of a public domain in an aeronauticalcommunication system in accordance with one embodiment of the presentinvention;

FIG. 5 is a flow diagram of a method to ensure secure and cost effectivecommunication of aeronautical data to and from an aircraft in accordancewith one embodiment of the present invention;

FIG. 6 is a flow diagram of a method to downlink and uplink air-groundaircraft data in accordance with one embodiment of the presentinvention; and

FIG. 7 is a flow diagram of a method to implement a one-way firewall inaccordance with one embodiment of the present invention.

In accordance with common practice, the various described features arenot drawn to scale but are drawn to emphasize specific features relevantto the present invention. Like reference characters denote like elementsthroughout figures and text.

DETAILED DESCRIPTION

In the following detailed description, reference is made to theaccompanying drawings, which form a part hereof, and in which is shownby way of illustration specific embodiments in which the inventions maybe practiced. These embodiments are described in sufficient detail toenable those skilled in the art to practice the invention, and it is tobe understood that other embodiments may be utilized and that logical,mechanical and electrical changes may be made without departing from thespirit and scope of the present invention. The following detaileddescription is, therefore, not to be taken in a limiting sense, and thescope of the present invention is defined only by the claims andequivalents thereof.

For the reasons stated above and for other reasons stated below whichwill become apparent to those skilled in the art upon reading andunderstanding the present specification, there is a need in the art fora safe and secure method of exploiting consumer data links foraeronautical purposes. Specifically, it is desirable to ensure that apassenger domain generated message sent from an aircraft or a messagesent from a ground based system to communicate with a passenger deviceon the aircraft does not intentionally or unintentionally find its wayinto the cockpit avionics systems. The cockpit avionics systems includecommunication, navigation, and surveillance systems (CNS),communications management function (CMF), and aircraft operations andcontrol avionics. It is desirable to provide this protection of thecockpit avionics system without the use of very elaborate protections orfirewalls, since such protections or firewalls can be expensive toinstall and maintain. Since cockpit avionics systems send messages overrelatively expensive, low bandwidth aeronautical data linkstraditionally used for sending safety-of-flight and/or critical safetyinformation, it is desirable for the cockpit avionics systems to haveaccess to lower cost, high bandwidth data links. Access to lower cost,high bandwidth data links will enable aircraft operators to send largerdownlink messages cost effectively. This may enable the aircraftoperators to implement new procedures which reduce their cost ofoperating the aircraft.

Embodiments of the present invention send outbound (downlink) messagesvia the consumer data link and receive the inbound (uplink) messages viatraditional aeronautical data links to which the passengers and thepublic, in general, do not have ready access via consumer electronicdevices. Embodiments use special routing logic and a simple one-wayfirewall to route and control the message traffic to and from theappropriate data links. Moreover, in embodiments, simple and foolprooffirewalls are used for allowing messages to pass in only one direction(unidirectionally) between numerous domains which utilize the samebearer data link network. By using the consumer data link for downlinkonly messages, the risk of intentional or unintentional electronicintrusion into the cockpit avionics systems by unauthorized persons orsystems can be virtually eliminated. With this approach, the aircraftoperators can receive the economic benefit of using the consumer datalink for a portion of the cockpit domain message traffic. With theaddition of simple routing protocols in the avionics and ground baseddata link communications management functions, uplinks to the aircraftcan be sent through traditional safety communications data link to thecockpit avionics, thereby providing the safety and security for messagesentering the cockpit avionics from outside of the cockpit domainboundary.

In embodiments, cockpit data link applications such as user messaging,system messaging, and application level information security logicallyreside above the multi-data link routers described herein and thereforeare not impacted by the embodiments. Message acknowledgement protocolsare addressed at the proper level of the protocol stack; some may occurat the application level of the protocol stack, others can occur lowerin the stack. For example, with an ARINC Communications Addressing andReporting System (ACARS) protocol, ARINC 618/620, the ACARS router isconfigured to expect an acknowledgement for some types of messages.Therefore, the communications management function expects theacknowledgement via the aeronautical data link in response to a downlinksent via the consumer data link. It is also possible that other cockpitavionics systems may also expect an application level acknowledgement.This application level acknowledgement could also be sent via theaeronautical data link. Therefore, the ground side router also needs tosend the acknowledgement via the aeronautical data link even though themessage was received via the consumer data link. In another embodiment,the ground communications peer 315-A, shown in FIG. 1, sends an uplinkmessage to the closed domain 104 of aircraft 103 requesting thatinformation be sent via downlink to the ground system peer 315-A. Uponreceipt of this message, the cockpit avionics system 400 initiates adownlink to ground communications peer 315-A via the consumer data link107.

Another aspect of the invention is to determine which data link to usefor downlinks based on the type of message. For example, maintenancedata collected from avionics may be large and would benefitsignificantly from the consumer data link but would only require a smalluplink message to the aircraft to acknowledge receipt of the largemessage by the ground system. Other message types might consist of largeuplinks, such as weight and balance and flight plan information fromairline operations to the aircraft. It might be simpler to handle thelarge uplinks as well as the small downlink acknowledgement via theaeronautical safety data link. Since in this case the downlink isrelatively small, little benefit would be obtained by using the consumerdata link for the downlink acknowledgement.

Still another aspect of the invention is the concept of storing non-timecritical messages on the aircraft until the aircraft can access thelowest cost data link. In this scenario, non-time critical maintenancedata, for example, would be stored on the aircraft until the aircraftarrived at a gate with access to at least one of broadband, 802.11(WiFi), and next generation communication systems. The large volume ofdownlink data is then transmitted over the consumer data link and theacknowledgement is uplinked to the aircraft via the aeronautical safetydata link.

FIG. 1 shows a block diagram of an aeronautical communication system 90in accordance with one embodiment of the present invention. Theaeronautical communication system 90 includes ground systems 300communicatively coupled to a cockpit avionics system 400 in an aircraft103.

The aeronautical communication system 90 ensures secure and costeffective communication of aeronautical data to and from the aircraft103. Specifically, the aeronautical communication system 90 uplinksair-ground aircraft data communications via an aeronautical safety datalink 105 and downlinks air-ground aircraft data communications via aconsumer data link, such as consumer data link 107-1 or 107-2. Theconsumer data links 107(1-2) are separated from the aeronautical safetydata link 105 by a one-way firewall 210.

As defined herein aeronautical data includes any data transmitted,received, processed, stored, used or in any way manipulated by anaircraft. As defined herein air-ground aircraft data communications(aeronautical data), include aeronautical safety/security data,cabin-crew data, and/or passenger data, that is exchanged between anaircraft and any mobile or fixed systems. As defined herein,aeronautical safety/security data (also referred to herein assafety/security data) includes any aeronautical data related to safetyand regularity of flight.

As defined herein the aeronautical safety data link is anycommunications link licensed and/or regulated to exchange aeronauticalsafety/security data between an aircraft and any mobile or fixedsystems. As defined herein the consumer data link is any aircraftcommunications link not classified as an aeronautical safety data link,which exchanges data such as, but is not limited to, in-flightentertainment, passenger support, and airline administrative data.

The ground systems 300 are typically part of a ground station. Theground systems 300 include a consumer data link router 310 andaeronautical data link router 305 that are each communicatively coupledto ground communications peers represented generally as groundcommunications peer 315-A and ground communications peer 315-B toindicate that the ground communications peer can have multipleinstantiations. The aeronautical data link router 305 is also referredto herein as the “aeronautical safety data link router 305.” At leastone of the consumer data link router 310, the aeronautical data linkrouter 305, and the ground communications peers 315-A and/or 315-Bincludes software (SW) (including protocols) that are executable byprocessors 311 in the ground systems 300 to perform the functionsdescribed herein as being performed by the ground systems 300. As shownin FIG. 1, the ground communications peer 315-B is communicativelycoupled to the consumer data link router 310 while the groundcommunications peer 315-A is communicatively coupled to both theaeronautical data link router 305 and the consumer data link router 310.Other configurations are possible.

The aircraft 103 has a closed domain 104 that includes the cockpitavionics system 400, a private domain 106 that includes cabin systems460, and a public domain 108 that includes passenger devices 130. Theone-way firewall 210 is between the closed domain 104 and both theprivate domain 106 and the public domain 108. The one-way firewall 210is communicatively coupled to pass the safety/security data output fromthe closed domain 104 while preventing data from entering the closeddomain 104, when the data is uplinked on the consumer data links107(1-2) to the private domain 106, and/or the data is uplinked on theconsumer data links 107(1-2) to the public domain 108.

The cockpit avionics system 400 includes the avionics communicationsmanagement function (CMF) 405. The avionics communications managementfunction 405 generates safety/security data, sends safety/security data,receives safety/security data, and routes safety/security data to andfrom other aircraft operations and control avionics. The avionicscommunications management function 405 executes downlink routingprotocols to send safety/security data from the closed domain 104 of theaircraft 103 to the ground systems 300 via a consumer data link 107-1and/or consumer data link 107-2. More than two consumer data links canbe implemented to send safety/security data from the closed domain 104of the aircraft 103 to the ground systems 300. In one implementation ofthis embodiment, the aircraft may only have one consumer data link 107-1or 107-2. The avionics communications management function 405 alsoexecutes uplinking routing protocols to receive safety/security data atthe closed domain 104 via an aeronautical safety data link 105. In oneimplementation of this embodiment, at least some of the messagesoriginate and end in the avionics communications management function405. In another implementation of this embodiment, at least some of themessages originate and end in external line replaceable units, such as aflight management computer (FMC), a central maintenance computer (CMC),and/or an avionics control and maintenance system. In yet anotherimplementation of this embodiment, the avionics communicationsmanagement function 405 is in an integrated box.

The private domain 106 includes cabin systems 460 which generate andconsume cabin-crew data. The cabin-crew data includes data sent to andfrom the ground systems 300. The cabin-crew data also includes internalaircraft data communications required to communicate between crewdevices 126 within the private domain 106. As defined herein “cabin-crewdata” is data generated by the cabin systems 460 and received from theground systems 300 by the cabin systems 460. As shown in FIG. 1, thecabin-crew data is input/output via one or more consumer data link107(1-2)

The public domain 108 includes passenger devices 130 that generatepassenger data or consumer data (including in flight entertainmentdata). As defined herein “passenger data” is generated by the passengerdevices 130 or received at passenger devices 130. The passenger devicesinclude, but are not limited to, consumer electronic devices. Passengerdata generated at the passenger devices 130 is sent to the groundsystems 300, to satellites (not shown), or to other consumercommunication links. Passenger data received at the passenger devices130 is received from the ground systems 300, from satellites (notshown), or from other consumer communication links.

As shown in FIG. 1, the passenger data is sent via the one or moreconsumer data link 107(1-2) from the private domain 106. In anotherimplementation of this embodiment, the passenger data is sent via theconsumer data link 107(1-2) from the public domain 108. In yet anotherimplementation of this embodiment, the passenger data is sent via theconsumer data link 107(1-2) from both the public domain 108 and from theprivate domain 106.

The one-way firewall 210 in the aeronautical communication system 90permits communication between the aircraft 103 and the ground systems300 as described herein for operating costs that are less than or equalto the operating costs of currently available aeronautical safety datalinks. The one-way firewall 210 passes safety/security data being outputfrom the closed domain 104. The one-way firewall 210 denies throughputto: data uplinked on the consumer data link 107(1-N); consumer data orpassenger data generated within the public domain 108 and/or the privatedomain 106; internal aircraft data communications (i.e., cabin-crewdata) that are transmitted within the private domain 106; and internalaircraft data communications (i.e., passenger data) that are transmittedwithin the public domain 108. This denial of throughput by the one-wayfirewall 210 prevents potentially damaging data from entering the closeddomain 104, while the safety/security data is downlinked on a consumerdata link 107(1-N). In some embodiments, the consumer data links 107-1and/or 107-2 are broadband consumer data links.

As shown in FIG. 1, the safety/security data is output from the closeddomain 104 via the communication link 109 and one-way firewall 210. Thecabin-crew data is output from the private domain 106 via communicationlink 609. The passenger data is output from the public domain 108 viacommunication link 607. The safety/security data on the communicationlink 109 is shown to combine with the cabin-crew data/passenger data onthe communication link 609 at a routing region represented generally at205 within the private domain 106. The communication links andcommunication devices operating within the routing region 205 are shownin detail in FIG. 3. The cabin-crew data output via the communicationlink 611 is shown to combine with the passenger data that is output viathe communication link 607 at a routing region represented generally at206 within the public domain 108. The communication links andcommunication devices operating within the routing region 206 are shownin detail in FIG. 4. In yet another implementation of this embodiment,the safety/security data is output from the closed domain 104 via thecommunication link 109 and one-way firewall 210 and is sent to theground systems 300 via one or more of the communication links 107(1-2)without any cabin-crew data or passenger data.

In one implementation of this embodiment, the routing regions 205 and206 include some common communication links and communication devices.In another implementation of this embodiment, the routing regions 205and 206 include communication links and communication devices that aredistinct from each other. In yet another implementation of thisembodiment, the routing regions 205 and 206 are both in the privatedomain 106. In yet another implementation of this embodiment, therouting regions 205 and 206 are both external to the private domain 106and the public domain 108.

In standards documents, such as ARINC 664 and ARINC 811, a four-domainreference model is standardized to include: aircraft control domain(ACD), airline information services domain (AISD), passenger informationand entertainment services domain (PIESD), and passenger-owned devicesdomain (PODD). The closed domain 104 described herein maps to theaircraft control domain. The private domain 106 described herein maps toairline information services domain and the passenger information andentertainment services domain. The public domain 108 described hereinmaps to passenger-owned devices domain.

The communication links (such as communication links 109, 609, 611, and607) internal to the aircraft 103 can be wireless communication links(for example, a radio-frequency (RF) communication link) and/or wiredcommunication links (for example, an optical fiber or copper wirecommunication link).

FIGS. 2-4 show expanded views in block diagrams for the closed domain104, the private domain 106, and the public domain 108, respectively.FIG. 2 shows a block diagram of a closed domain 104 in an aeronauticalcommunication system 90 (FIG. 1) in accordance with one embodiment ofthe present invention. The closed domain 104 includes a cockpit avionicssystem 400 in a cockpit 350. The cockpit avionics system 400 includescrew terminals 118 and cockpit avionics 402. The cockpit avionics 402includes communications, navigation, and surveillance (CNS) systems 110,an avionics communications management function (CMF) 405, and aircraftoperations and control 114, which includes, but is not limited to,systems such as the flight management computer, central maintenancecomputer, and an avionics control and maintenance system.

The avionics communications management function 405 includes hardware(HW) and software (SW) 406 and is communicatively coupled to theaircraft operations and control 114, the crew terminals 118, theprinters 226, display 225, and the CNS systems 110. The aircraftoperations and control 114 includes hardware (HW) and software (SW) 115.The aircraft operations and control 114 is communicatively coupled tothe printers 226, display 225, the crew terminals 118, and the avionicscommunications management function 405.

Only the communications radio 201 is shown in detail in the CNS systems110, although all three of the communications, navigation, andsurveillance subsystems may have radio links (data links). Communicationsubsystems provide voice and data information, at least some of which issafety-of-flight and/or critical safety data. Such safety-of-flightand/or critical safety data is referred to herein as safety/securitydata. Navigation information aids the aircraft in knowing where it is in3D space and time, while surveillance information helps the aircraft 103recognize where other aircraft and objects (weather) are locatedrelative to the aircraft's position. The navigation radios (N) and/orthe surveillance radios (S) in the CNS systems 110 can also generateand/or receive safety-of-flight and/or critical safety data. In oneimplementation of this embodiment, at least a portion of the uplinkedsafety/security data is received by the cockpit avionics system 400 viathe navigation radio (N) and/or surveillance radio (S).

As shown in FIG. 2, communications radio 201 includes hardware (HW) andsoftware (SW) 202, and satellite communications (SATCOM) 112-A. In someembodiments, other SATCOM systems are in the private domain 104 and/orthe public domain 106. The SATCOM 112-A data in the closed domain 104 isoutput to the avionics communications management function 405. In thisdepiction, SATCOM 112-A is a subset of the communications radio(s) 201on the aircraft 103. Other communications radios might be VHF, HF,and/or L-Band. In one implementation of this embodiment, crew systems(not shown) are in the cockpit avionics system 400, the private domain106, or both. Cockpit applications run on the CNS systems 110 (shown assoftware 202), the avionics communications management function 405(shown as software 406), and the aircraft operations and control 114(shown as software 115). The software 202, 406, and 115 includeprotocols to upload and download safety/security data.

Avionics communications management function 405 is a communicationsrouter for data messages that also formats messages for cockpit display225 and cockpit printers 226 that are part of the aircraft operationsand control subsystem. The cockpit 350 is communicatively coupled toreceive data, including safety/security data, from antennas representedgenerally at 613 via communication links 105. For example, if theconsumer data link is low bandwidth, the cockpit avionics system 400 maysend the non-safety/non-security data via communication link 105 to theground systems 300. In another implementation of this embodiment, thecockpit avionics system 400 is communicatively coupled to sendsafety/security data requiring low bandwidth, from antennas 613 viacommunication link 105. In this case, processors in the cockpit avionicssystem 400 execute software 202, 406 and 115 to determine if thebandwidth requirement of a message is low enough to output via thecommunication link 105.

A one-way firewall 210 is a dedicated appliance, or software runningseparately from the cockpit avionics system 400 or in the communicationsmanagement function 405 and operable to receive data output from thecockpit avionics system. The one-way firewall 210 inspects data trafficpassing through it, and denies throughput to any data from the privatedomain 106 to the closed domain 104 and also denies throughput to anydata from the public domain 108 to the closed domain 104. The one-wayfirewall 210 inspects data traffic and passes data sent from the closeddomain 104 to the private domain 106 and/or the public domain 108. Asdescribed herein the one-way firewall 210 can be a relativelyinexpensive firewall, based on the configuration of the elements in theprivate domain 106 and in the public domain 108 with respect to theclosed domain 104.

The configuration of the cockpit avionics system 400 can be differentfrom the configuration shown herein. The illustrated configuration ofthe cockpit avionics system 400 is not meant to limit embodiments of thecommunication systems within the cockpit of aircraft.

FIG. 3 shows a block diagram of a private domain 106 in an aeronauticalcommunication system 90 (FIG. 1) in accordance with one embodiment ofthe present invention. The private domain 106 includes the informationsystem 119, which includes the routing region 205. The informationsystem 119 functions as a router for the messages within the privatedomain 106. The information system 119 is communicatively coupled to theinterface 122, which may be a broadband interface 122. Optionally, theprivate domain 106 can include next generation communication systems900, an external IEEE 802.11-based-system 123, and SATCOM 112-B.

The safety/security data is received at the information system 119 fromthe closed domain 104 via communication link 109 and the one-wayfirewall 210. Cabin-crew data is received at the information system 119from the crew devices 126 via communication link 609. Passenger data isreceived at the information system 119 from the public domain 108 viacommunication link 607-B. At least a portion of the cabin-crew data,and/or at least a portion of the passenger data, and the safety/securitydata input to the information system 119 is routed at the routing region205 to be sent from the aircraft 103 (FIG. 1) via the interface 122 andthe communication link 107-1. Additionally, another portion of thecabin-crew data and/or another portion of the passenger data is outputfrom the information system 119 to be sent from the aircraft 103 via thenext generation communication systems 900, an external IEEE802.11-based-system 123, and SATCOM 112-B. In one implementation of thisembodiment, the safety/security data received at the information system119 from the closed domain 104 via communication link 109 and theone-way firewall 210 is sent from the aircraft 103 via the interface 122and the communication link 107-1 without out any cabin-crew data orpassenger data.

In another implementation of this embodiment, at least a portion of thecabin-crew data, and/or at least a portion of the passenger data, and atleast a portion of the safety/security data input to the informationsystem 119 is routed at the routing region 205 to be sent from theaircraft 103 (FIG. 1) via the the next generation communication systems900, an external IEEE 802.11-based-system 123, and/or SATCOM 112-B. Inyet another implementation of this embodiment, at least a portion of thesafety/security data is sent from the aircraft 103 (FIG. 1) via the thenext generation communication systems 900, an external IEEE802.11-based-system 123, and/or SATCOM 112-B while no cabin-crew data orpassenger data is sent from the aircraft 103.

As shown in FIG. 3, the communication link 607-B communicatively couplesthe information system 119 to the public domain 108, while thecommunication link 607-A is connected directly to SATCOM 112-B. The nextgeneration communication systems 900 is communicatively coupled toreceive data from the information system 119 and to output data from theprivate domain 106 via the consumer data link 107-2. The external IEEE802. 11-based-system 123 is communicatively coupled to receive data fromthe information system 119 and to output data from the private domain106 via the consumer data link 107-3. SATCOM 112-B is communicativelycoupled to receive data from the information system 119 and to outputdata from the private domain 106 via the consumer data link 107-N.

In one implementation of this embodiment, the information system 119 isseparate from the routing region 105. In such an embodiment, theinformation system 119 interfaces the crew devices 126 to the routingregion 105. In another implementation of this embodiment, the routingregion 205 serves as a manager of air-ground IP-based communications(a.k.a., MAGIC), which is a new routing function being contemplated byindustry standards organizations such as AEEC.

Other communication systems and/or devices can be included in theprivate domain 106. The configuration of the devices and communicationsystems in the private domain 106 can be different from theconfiguration shown herein. The illustrated configuration of the privatedomain 106 is not meant to limit embodiments of the devices andcommunication systems within the private domain 106.

FIG. 4 shows a block diagram of a public domain 108 in an aeronauticalcommunication system 90 in accordance with one embodiment of the presentinvention. The public domain 108 includes passenger devices 130, whichcan include consumer electronic devices 470. The consumer electronicdevices 470 include laptops, cell phones, personal digital assistants,and future developed consumer electronic devices. The passenger devices130 include displays for in-flight movies as well as the consumerelectronic devices 470. As shown in FIG. 4, the routing region 206 islocated in the public domain 108.

The passenger devices 130 generate passenger data. The passenger devices130 are communicatively coupled to communication link 607-A andcommunication link 607-B. In one implementation of this embodiment, thecommunication link 607-A and the communication link 607-B are the samecommunication link 607.

The configuration of the devices in the private domain 108 can bedifferent from the configuration shown herein. The illustratedconfiguration of the public domain 108 is not meant to limit embodimentsof the devices within the private domain 108.

The one-way firewall 210 (FIGS. 1-4) is configured to regulate some ofthe flow of traffic between system or networks of different trust levelswithin the aircraft 103, so that safety/security data from the closeddomain 104 is sent from the private domain 106 with some data privatedomain 106, and/or the public domain 108. As shown in FIG. 3, at leastone of at least a portion of the passenger data received from the publicdomain 108 via the communication links 607-A and 607B and at least aportion of the cabin-crew data generated by crew devices 126 in theprivate domain 104 are routed by the information system 119 to theinterface 122. In one implementation of this embodiment, the interface122 is a broadband interface 122. In this case, the safety/security datais sent from the closed domain 104 of the aircraft 103 to ground systems300 via a broad band consumer data link 107-1.

In this manner, at least one of at least a portion of the cabin-crewdata, and at least a portion of the passenger data is transmitted fromthe aircraft 103 via one of the consumer data links 107(1-N) along withthe safety/security data generated in the aircraft 103, while thecabin-crew data and the passenger data are prevented from entering theclosed domain 104 by the one-way firewall 210. The consumer data links107(1-N) are configured to send passenger data generated in the publicdomain 108 of the aircraft 103 to the ground systems 300 and to sendcabin-crew data generated in the private domain 106 from the privatedomain 106 of the aircraft 103 to the ground systems 300, while theone-way firewall 210 prevents cabin-crew data and passenger data fromentering the closed domain 104.

In one implementation of this embodiment, a memory 121 iscommunicatively coupled (as appropriate for the communication technologybeing implemented) to the information system 119 to store non-timecritical messages on the aircraft until the aircraft 103 accesses alowest cost data link, such as one of the consumer data links 107(1-N)from which to send the non-time critical messages from the privatedomain 106 and/or the public domain 108.

FIG. 5 is a flow diagram of a method 500 to ensure secure and costeffective communication of aeronautical data to and from an aircraft inaccordance with one embodiment of the present invention. In oneimplementation of this embodiment, the secure and cost effectivecommunication of aeronautical data to and from an aircraft isimplemented by the aeronautical communication system 90 as describedabove with reference to FIGS. 1-4. The method 500 is described withreference to the aeronautical communication system 90 shown in FIGS. 1-4although it is to be understood that method 500 can be implemented usingother embodiments of the aeronautical communication system as isunderstandable by one skilled in the art who reads this document.

At block 502, air-ground aircraft data communications is uplinked via anaeronautical safety data link 105. The safety/security data is uplinkedvia the aeronautical safety data link 105 to the closed domain 104 byimplementing uplink routing protocol in an aeronautical safety data linkrouter 305 in ground systems 300 to send the safety/security data to theclosed domain 104. At block 504, air-ground aircraft data communicationsis downlinked via one of the consumer data links 107(1-N) separated fromthe aeronautical safety data link 105 by a one-way firewall 210. Theair-ground aircraft data communications downlinked via at least one ofthe consumer data links 107(1-N) includes safety/security data, at leasta portion of cabin-crew data, and/or at least a portion of passengerdata. The flow diagram of method 500 is intended to illustrate that theaeronautical communication system implementing method 500 is capable ofimplementing all the functions described at blocks 502, 504, and 506.The functions of linking and routing data described with reference toblocks 502, 504, and 506 are not necessarily occurring serially or inthat order.

In one implementation of this embodiment, the functions of linking datadescribed with reference to blocks 502, 504, and 506 occursimultaneously. In another implementation of this embodiment, functionsof linking data described with reference to blocks 502, 504, and 506occur in a different order.

In another implementation of this embodiment, the avionicscommunications management function 405 includes code or algorithms todetermine a size of a message to be downlinked from a closed domain inthe aircraft is less than a lower threshold size. In such an embodiment,when the message size is lower than the minimum threshold the messagehaving a size less than the minimum threshold size is downlinked fromthe closed domain 104 via the aeronautical safety data link 105. In oneimplementation of this embodiment, the minimum threshold size is 221bytes. In another implementation of this embodiment, the minimumthreshold size is 144 bytes. In another implementation of thisembodiment, the minimum threshold size is 2064 bytes. In yet anotherimplementation of this embodiment, the minimum threshold size isvariable and is configured based on airline policy.

At block 506, internal aircraft data communications are routed betweenat least one of crew devices 126 and equipment located within a privatedomain 106 via an information system 119. Additionally, internalaircraft data communications are routed between crew devices 126 locatedwithin a private domain 106 and passenger devices located in the publicdomain 108 via the information system 119. These internal aircraft datacommunications are prevented from entering the closed domain 104 by theone-way firewall 210. The internal aircraft data communications includecabin-crew data and/or passenger data.

FIG. 6 is a flow diagram of a method 600 to downlink and uplinkair-ground aircraft data communications in accordance with oneembodiment of the present invention. In one implementation of thisembodiment, the downlinking and uplinking of the air-ground aircraftdata communications are implemented by the aeronautical communicationsystem 90 as described above with reference to FIGS. 1-4. The method 600is described with reference to the aeronautical communication system 90shown in FIGS. 1-4 although it is to be understood that method 600 canbe implemented using other embodiments of the aeronautical communicationsystem as is understandable by one skilled in the art who reads thisdocument.

At block 602, downlink routing protocols are implemented tounidirectionally output safety/security data from the closed domain 104of the aircraft 103 through the one-way firewall 210 for transmissionvia the consumer data link 107-1. In one implementation of thisembodiment, downlink routing protocols are implemented in an avionicscommunications management function 405 to unidirectionally outputsafety/security data from the closed domain 104 of the aircraft 103through the one-way firewall 210 for transmission via the consumer datalink 107-1. The consumer data link 107-1 is also referred to herein as a“first consumer data link 107-1.” At block 604, at least one of at leasta portion of the cabin-crew data and at least a portion of the passengerdata is output from a private domain 106 of the aircraft 103 fortransmission via the first consumer data link 107-1. In this manner, thesafety/security data, at least one of at least a portion of thecabin-crew data and at least a portion of the passenger data istransmitted from the aircraft 103 via the same consumer data link 107-1.The cabin-crew data and the passenger data are prevented from enteringthe closed domain by the one-way firewall 210.

At block 606, at least one of another portion of the cabin-crew data andanother portion of the passenger data is transmitted via at least oneother consumer data link 107(2-N) (i.e., a consumer data link that isnot the first consumer data link 107-1) to one or more communicationsystems external to the aircraft 103. At block 608, safety/security datais uplinked via the aeronautical safety data link 105 to the closeddomain 104. At block 610, passenger data is uplinked via at least one ofthe consumer data links 107(1-N) to the private domain 106 and/or thepublic domain 108. Uplink routing protocol is implemented in a consumerdata link router 310 in ground systems 300 to send the passenger data tothe private domain 106 and the public domain 108 in the aircraft 103. Inone implementation of this embodiment, the passenger data is uplinkedvia the consumer data link 107-1 to the private domain 106 and thepublic domain 108. As defined herein passenger data (consumer data)includes data that is generated external to the aircraft 103 and that issent to the passenger devices 130 as well as data that is generated inby the passenger devices 130 in the public domain 108 and sent to theprivate domain 104 and/or is sent external to the aircraft 103.

At block 612, message acknowledgements of the safety/security datareceived at ground systems 300 are uplinked to the closed domain 104 ofthe aircraft via the aeronautical safety data link 105. If theacknowledgement is not received within a configurable amount of time,the original message is retransmitted via the original communicationspath.

FIG. 7 is a flow diagram of a method to implement a one-way firewall inaccordance with one embodiment of the present invention. The method 700is described with reference to the one-way firewall 210 shown in FIGS.1-4 although it is to be understood that method 700 can be implementedusing the one-way firewall 210 in other configurations of theaeronautical communication systems (including aeronautical communicationsystems that include systems yet to be developed) as is understandableby one skilled in the art who reads this document.

At block 702, data traffic that is received at the one-way firewall 210is inspected. At block 704, data received from a closed domain 104 ofthe aircraft 103 is passed based on the inspection by the one-wayfirewall 210. At block 706, throughput is denied to data received from aprivate domain 106 of the aircraft 103 based on the inspection by theone-way firewall 210. At block 708, throughput is denied to datareceived from a public domain of the aircraft 103 based on theinspection by the one-way firewall 210.

Although specific embodiments have been illustrated and describedherein, it will be appreciated by those of ordinary skill in the artthat any arrangement, which is calculated to achieve the same purpose,may be substituted for the specific embodiment shown. This applicationis intended to cover any adaptations or variations of the presentinvention. Therefore, it is manifestly intended that this invention belimited only by the claims and the equivalents thereof.

What is claimed is:
 1. A method of ensuring secure and cost effectivecommunication of aeronautical data to and from an aircraft, the methodcomprising: uplinking air-ground aircraft data communications via anaeronautical safety data link, wherein the aeronautical safety data linkis a communications link licensed and/or regulated to exchangesafety/security data between the aircraft and at least one of a mobilesystem and a fixed system; implementing downlink routing protocols tooutput the safety/security data from a closed domain of the aircraftthrough a one-way firewall and through at least one of a private domainof the aircraft and a public domain of the aircraft; and downlinkingair-ground aircraft data communications, including the safety/securitydata, from the respective at least one of the private domain of theaircraft and the public domain of the aircraft to a ground system via aconsumer data link separated from the aeronautical safety data link bythe one-way firewall.
 2. The method of claim 1, wherein uplinkingair-ground aircraft data communications via the aeronautical safety datalink comprises: uplinking message acknowledgements of thesafety/security data received at ground systems from the closed domainof the aircraft via the aeronautical safety data link.
 3. The method ofclaim 1, further comprising: outputting cabin-crew data from the privatedomain of the aircraft; and outputting passenger data from the publicdomain of the aircraft, wherein the safety/security data, at least oneof at least a portion of the cabin-crew data, and at least a portion ofthe passenger data is transmitted from the aircraft via the consumerdata link, wherein the cabin-crew data and the passenger data areprevented from entering the closed domain by the one-way firewall. 4.The method of claim 1, wherein the consumer data link is a firstconsumer data link, the method further comprising: transmitting at leastone of another portion of the cabin-crew data and another portion of thepassenger data via at least one other consumer data link.
 5. The methodof claim 1, wherein uplinking air-ground aircraft data communicationsvia an aeronautical safety data link comprises: uplinkingsafety/security data via the aeronautical safety data link to the closeddomain.
 6. The method of claim 5, wherein uplinking the safety/securitydata via the aeronautical safety data link to the closed domaincomprises implementing uplink routing protocol in an aeronautical safetydata link router in ground systems to send the safety/security data tothe closed domain.
 7. The method of claim 1, further comprising:uplinking passenger data via the consumer data link to at least one ofthe private domain and the public domain.
 8. The method of claim 1,further comprising: routing internal aircraft data communicationsbetween crew devices within the private domain via an informationsystem, wherein the internal aircraft data communications are preventedfrom entering the closed domain by the one-way firewall.
 9. The methodof claim 1, further comprising: inspecting data traffic received at theone-way firewall; passing data received from the closed domain of theaircraft based on the inspecting; denying throughput to data receivedfrom the private domain of the aircraft based on the inspecting; anddenying throughput to data received from the public domain of theaircraft based on the inspecting.
 10. The method of claim 1, furthercomprising: determining a size of a message to be downlinked from theclosed domain in the aircraft is less than a minimum threshold size; anddownlinking the message having a size less than the minimum thresholdsize from the closed domain via the aeronautical safety data link. 11.An aeronautical communication system comprising: an avionicscommunications management function; and a one-way firewall, wherein theavionics communications management function is executable by a processorconfigured to execute downlink routing protocols to send safety/securitydata from a closed domain of an aircraft, through a one-way firewall andthrough at least one of a private domain of the aircraft and a publicdomain of the aircraft, to ground systems via a consumer data link, theavionics communications management function further configured toexecute uplinking routing protocols to receive safety/security data atthe closed domain via an aeronautical safety data link, wherein theaeronautical safety data link is a communications link licensed and/orregulated to exchange the safety/security data between the aircraft andat least one of a mobile system and a fixed system, and wherein theone-way firewall is communicatively coupled to pass the safety/securitydata output from the closed domain, and the one-way firewall isconfigured to prevent data from entering the closed domain when the datais at least one of uplinked on the consumer data link to the privatedomain, and uplinked on the consumer data link to the public domain. 12.The aeronautical communication system of claim 11, further comprising:the ground systems, wherein the ground systems include: a consumer datalink router configured to receive the safety/security data output fromthe closed domain via the consumer data link, a ground communicationspeer communicatively coupled to the consumer data link router, and anaeronautical safety data link router communicatively coupled to theground communications peer, the aeronautical safety data link routerconfigured to send safety/security data to the avionics communicationsmanagement function via the aeronautical safety data link.
 13. Theaeronautical communication system of claim 11, wherein the consumer datalink is further configured to send at least one of passenger data fromthe public domain of the aircraft to the ground systems and cabin-crewdata from the private domain of the aircraft to the ground systems,wherein the one-way firewall prevents the cabin-crew data and thepassenger data from entering the closed domain.
 14. The aeronauticalcommunication system of claim 11, wherein the consumer data link is abroad band consumer data link.
 15. The aeronautical communication systemof claim 11, further comprising: a memory to store non-time criticalmessages on the aircraft until the aircraft accesses a lowest cost datalink.
 16. An aeronautical communication system comprising: groundsystems, wherein the ground systems include: a consumer data link routerconfigured to receive via a consumer data link the safety/security dataoutput from a closed domain in an aircraft via the consumer data link; aground communications peer communicatively coupled to the consumer datalink router, the ground communications peer configured to send consumerdata to at least one of a private domain in the aircraft and a publicdomain in the aircraft via the consumer data link; and an aeronauticalsafety data link router communicatively coupled to the groundcommunications peer, the aeronautical safety data link router configuredto send safety/security data to an avionics communications managementfunction in the closed domain of the aircraft via an aeronautical safetydata link, wherein the aeronautical safety data link is a communicationslink licensed and/or regulated to exchange the safety/security databetween the aircraft and at least one of a mobile system and a fixedsystem; and at least one processor to execute software in the consumerdata link router, the ground communications peer, and the aeronauticalsafety data link router.
 17. The aeronautical communication system ofclaim 16, further comprising: the avionics communications managementfunction in the aircraft configured to execute downlink routingprotocols to output safety/security data from the closed domain of theaircraft via the consumer data link and configured to execute uplinkingrouting protocols to receive the safety/security data at the closeddomain via the aeronautical safety data link; and a one-way firewallcommunicatively coupled to receive the safety/security data output fromthe closed domain, the one-way firewall configured to prevent data fromentering the closed domain, when the data is at least one of uplinked onthe consumer data link to the private domain, and uplinked on theconsumer data link to the public domain.
 18. The aeronauticalcommunication system of claim 17, wherein the one-way firewall isfurther configured to prevent internal aircraft data communications sentbetween crew devices within the private domain from entering the closeddomain.
 19. The aeronautical communication system of claim 17, whereinthe one-way firewall is further configured to prevent cabin-crew dataand passenger data from entering the closed domain.
 20. A system toensure secure and cost effective communication of aeronautical data toand from an aircraft, the system comprising: means for uplinkingair-ground aircraft data communications, wherein the means for uplinkingis licensed and/or regulated to exchange safety/security data betweenthe aircraft and at least one of a mobile system and a fixed system;means for implementing downlink routing protocols to output thesafety/security data from a closed domain of the aircraft through aone-way firewall and through at least one of a private domain of theaircraft and a public domain of the aircraft; and means for downlinkingair-ground aircraft data communications, including the safety/securitydata, from the respective at least one of the private domain of theaircraft and the public domain of the aircraft to a ground system, themeans for downlinking air-ground aircraft data communications beingseparated from the means for uplinking air-ground aircraft datacommunications by the one-way firewall.
 21. The system of claim 20,further comprising: means for outputting cabin-crew data from theprivate domain of the aircraft; and means for outputting passenger datafrom the public domain of the aircraft, wherein the safety/securitydata, at least one of at least a portion of the cabin-crew data, and atleast a portion of the passenger data is transmitted from the aircraftvia the means for downlinking air-ground aircraft data communications,and wherein the cabin-crew data and the passenger data are preventedfrom entering the closed domain.
 22. The system of claim 20, furthercomprising: means for routing internal aircraft data communicationsbetween crew devices within the private domain, wherein the internalaircraft data communications are prevented from entering the closeddomain by the one-way firewall.
 23. The system of claim 20, furthercomprising: means for inspecting data traffic received at the one-wayfirewall; means for passing data received from the closed domain of theaircraft based on the inspecting; means for denying throughput to datareceived from the private domain of the aircraft based on the means forinspecting; and means for denying throughput to data received from thepublic domain of the aircraft based on the means for inspecting.
 24. Thesystem of claim 20, further comprising: means for determining a size ofa message to be downlinked from the closed domain in the aircraft isless than a minimum threshold size; and means for downlinking themessage having a size less than the minimum threshold size from theclosed domain via the means for uplinking air-ground aircraft datacommunications.